
Hello, I am going through some SQL injection examples and I have the following scenario:

In this example, aware of the risk of SQL injection, the developer decided to block single quotes ' by removing any single quote ' in the query. However, there is still a way to break out of the SQL syntax and inject arbitrary SQL.

To do so, you need to think of the query:

SELECT * FROM users WHERE username='[username]' and password='[password]'

The problem here is that you cannot, in theory, break out of the single quotes ' since you cannot inject any quote. However, if you inject a backslash \, the second ' in the query (the one supposed to finish the string [username]) will be escaped, and the string will be closed by the third one (the one supposed to start the string [password]).

Doesn't this mean that if I input a "\" in the username field it will automatically break the query and look something like this?

SELECT * FROM users WHERE username='[username] and password=' ..

Am I missing something? Should I provide the backslash in another way?

user3171222
  • Are you asking how to inject sql or how to protect yourself from sql injection attacks? – Zohar Peled Aug 06 '15 at 08:18
  • how to inject it not how to protect – user3171222 Aug 06 '15 at 08:19
  • To be honest, you should use parameters to pass the values for username and password. You should avoid building a string with values from user input and execute that against your database - that is the 1st step protecting against sql injection. – Horia Aug 06 '15 at 08:20
  • I am not looking to protect against it, I am looking to complete the exercise and understand how "\" escapes characters, because at the moment it seems it doesn't – user3171222 Aug 06 '15 at 08:21
  • So you are looking for this? http://blogs.msdn.com/b/raulga/archive/2007/01/04/dynamic-sql-sql-injection.aspx – Eric Aug 06 '15 at 08:25

1 Answer

-3

Ok, I have found the answer: the username should be "\" and the password "or 1#". Then the query will look something like this:

SELECT * FROM users WHERE username = '\' AND password=' or 1# 
user3171222
  • A backslash does not escape anything in (standard) SQL. That simply looks for a user with the name `\ ` and `or 1#` is invalid SQL to begin with –  Dec 07 '18 at 07:05